Earlier this week SophosLabs was alerted to another potential eBay scam (see article on The Register). A high-performance vehicle, included as a featured listing at a ridiculously low price, had attracted suspicion.
Clicking on the item resulted in a rapid redirect to a remote (non-eBay) site. Looking through the eBay-hosted page identified the cause – an embedded Shockwave file (now detected as Troj/ReDir-A).
The Shockwave file (created with SWF Quicker) performs the redirect with a standard
The result is that the details page for the listing is loaded from a remote, Russian site.
As you can see, the page is crafted to look just like the official page, except that the embedded forms point to a mailto address, not back to eBay. Phishing for eBay credentials does not appear to be the purpose of this scam – clicking on the ‘sign in’ link takes you back to the official eBay sign-in page. Clearly the scammers are happy to abuse legitimate eBay sellers, typically those with good reputations. The seller listed in this scam was a power seller, normally associated with jewellery items.
Clicking on the bid or ‘buy it now’ buttons creates an email to the seller in the default email client, which generates a warning popup from Internet Explorer.
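The two markers described above, a Flash embed inside listing markup and a form whose action is a mailto address rather than the marketplace, can be checked for mechanically. The following is an added example, not SophosLabs code: the `TRUSTED` domain, the `ListingAuditor` and `audit` names, and the sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = "ebay.com"  # assumption: the domain genuine listing forms post back to

class ListingAuditor(HTMLParser):
    """Flags Flash embeds and forms whose action leaves the trusted domain."""

    def __init__(self, trusted=TRUSTED):
        super().__init__()
        self.trusted = trusted
        self.findings = []  # (kind, url) tuples in document order

    def _on_trusted_host(self, host):
        return host == self.trusted or host.endswith("." + self.trusted)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        if tag == "form":
            url = urlparse(a.get("action", ""))
            host = (url.hostname or "").lower()
            if url.scheme == "mailto":
                self.findings.append(("form-mailto", a["action"]))
            elif host and not self._on_trusted_host(host):
                # Relative actions have no host and stay on the serving site.
                self.findings.append(("form-offsite", a["action"]))
        elif tag in ("embed", "object"):
            src = a.get("src") or a.get("data", "")
            flash_type = "shockwave-flash" in a.get("type", "").lower()
            if flash_type or urlparse(src).path.lower().endswith(".swf"):
                self.findings.append(("flash-embed", src))

def audit(html):
    parser = ListingAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample markup (hosts and addresses are placeholders).
SAMPLE_LISTING = '''<div><embed src="http://files.example.net/car.swf"
  type="application/x-shockwave-flash" width="1" height="1"></div>'''
SAMPLE_CLONE = '''<form action="mailto:seller@example.org" method="post"></form>
<form action="https://signin.ebay.com/" method="post"></form>
<form action="/search"></form>
<form action="http://ebay.com.example.net/bid"></form>'''

if __name__ == "__main__":
    for kind, url in audit(SAMPLE_LISTING) + audit(SAMPLE_CLONE):
        print(f"{kind:13} {url}")
```

The host comparison matches the trusted domain or a dot-separated subdomain of it, so a lookalike such as `ebay.com.example.net` is still reported as offsite.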
Looking through the root of the Russian site, it would appear this is not the first scam.